Earlier this week, a bug that Twitter quickly corrected allowed anyone to force any other user to follow them by typing in a simple text command. Now users of the social networking Web site are facing yet another threat in the form of simple, text-based attacks that are available to almost anyone.
According to the Sunbelt Blog, the TwitterNET Builder application is the latest user-friendly tool to make a botnet out of Twitter accounts. The interface consists of a simple dialog box with a "TwitterUsername" text box and a "Build" button. Upon filling in the field with a valid Twitter username and pressing the button, "an executable file is created that will keep an eye on the named Twitter account for a series of commands used to infect, download, attack with DDoS and even kill the connection between Bot and Command channel."
The next step is the trickiest part: the attacker must make the target run the executable file in order to gain control of the account. Editing the icon and file name, coupled with social engineering, is a plausible way of luring the target into getting infected. Once that is done, all the attacker has to do is post simple commands from their Twitter account. Christopher Boyd explained them in more detail on the Sunbelt Blog, but commands include:
- ordering the target to open a Web page (hidden or viewable);
- launching a DDoS attack against a URL;
- telling the target computer to say something using Windows' text to speech feature;
- downloading a file from the specified URL (and optionally running it);
- and more.
That botnet-building code would have some potential, but (hopefully) it is quite weak, because the users controlling the bots are very easy to find: a simple search on Twitter itself for one of the commands reveals all the posts that contain that command. And posting from a private account (whose posts do not appear in search results) does not activate the bots; posts have to be public to work. So "in theory it should be easy for Twitter to track / filter / block anyone issuing these commands," as pointed out by Boyd.
The infection file is detected as Hacktool.win32.Twebot.A by Sunbelt, and Twitter is apparently looking into the issue, but the company has not yet made an official statement concerning the resolution of this problem.